From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet
2026-06-17 • Microsoft
Sapphire Sleet compromised the Mastra npm ecosystem by taking over the `ehindero` maintainer account and injecting the malicious `easy-day-js` typosquat into more than 140 `mastra` and `@mastra` packages. The weaponized package ran a postinstall dropper that disabled TLS validation, contacted C2 infrastructure, downloaded a cross-platform Node.js tasking client, and established persistence on Windows, macOS, and Linux. On selected Windows hosts, the actor delivered a PowerShell backdoor, performed host and wallet-extension reconnaissance, added Defender exclusions, and installed a SYSTEM-level `scdev` service for boot persistence. Microsoft assesses the activity with high confidence as Sapphire Sleet, a North Korean actor focused on cryptocurrency, blockchain, venture capital, and other financial targets.
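A defender-side check for the dependency injection described above, as an added example that is not code from Microsoft's report: it walks a parsed `package-lock.json` (lockfileVersion 2 or 3) and reports where `easy-day-js` is installed and which packages pull it in, using the `hasInstallScript` flag npm records in the lockfile. The function names, the sample lockfile and its placeholder versions are assumptions constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json for the typosquat named in
// the summary. Only `easy-day-js`, `mastra` and `@mastra` come from the page.
const TYPOSQUAT = "easy-day-js";

// "node_modules/@mastra/core/node_modules/easy-day-js" -> "easy-day-js"
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

function isMastra(name) {
  return name === "mastra" || name.startsWith("@mastra/");
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry; its installs appear below it
    const name = packageName(path);
    if (name === TYPOSQUAT) {
      // The typosquat is present in the resolved tree (nested copies included).
      findings.push({ kind: "typosquat-installed", path, version: meta.version,
                      hasInstallScript: meta.hasInstallScript === true });
    }
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    if (TYPOSQUAT in deps) {
      // Records which package version declared the dependency.
      const kind = isMastra(name) ? "mastra-pulls-typosquat" : "dependent-pulls-typosquat";
      findings.push({ kind, path, version: meta.version, range: deps[TYPOSQUAT] });
    }
  }
  return findings;
}

// Constructed sample; versions are placeholders, not affected-version data.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@mastra/core": "^0.0.0" } },
    "node_modules/@mastra/core": { version: "0.0.0", dependencies: { "easy-day-js": "^0.0.0" } },
    "node_modules/easy-day-js": { version: "0.0.0", hasInstallScript: true },
    "node_modules/dayjs": { version: "0.0.0" },
  },
};

console.log(auditLockfile(sampleLock));
```

A lockfile hit shows what was resolved, not whether the postinstall script actually ran, so hosts that installed a flagged tree still need to be checked for the persistence described above.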